
Thread: can't find OEP with DUMP Plugin

  1. #1
    greg
    Guest

    can't find OEP with DUMP Plugin

    Hello

    I read some tutorials about "how to use OllyDump".
    The tutorials are about ASProtect-protected examples and FSG-protected examples,
    and it's always like this:
    1. Load the exe
    2. Plugin -> OllyDump -> Find OEP by ....
    3. Wait while Olly is tracing
    4. Dump at the OEP

    But this method does not work with my Olly.
    Olly always says
    Thread XXXXXX terminated, trace stopped
    and does not stop at the OEP or find the OEP.

    My Olly only finds the OEP when I use UPX-packed examples.

    Can somebody help me?
    Perhaps I have to change some debugging options, because in the tutorials everything works fine.

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2


    In ASProtect this method does not work.

    1) Go to Debugging Options -> Exceptions and clear all the marks, leaving only the first one.
    2) Run.
    3) The program stops at exceptions; pass all of them with Shift+F9.
    4) Note the value of the last exception before the program begins.
    5) Repeat the process: restart the program and go to this last exception before the program begins.
    6) Pass it with Shift+F7 (NOT F9 at this moment).
    7) Go to View -> Memory and, on the code section (starts at 401000), put a memory breakpoint on access.
    8) Run.
    9) When the program stops at the memory breakpoint on execution (look in the lower left corner) you are at the entry point, or, if the program has stolen bytes, at the first line executed of the original program.

    Ricardo

  3. #3
    psyCK0
    Guest


    Nice technique, Ricardo! How do you recover the stolen bytes?

  4. #4
    greg
    Guest


    Thanks a lot, Ricardo!
    You really helped me.

    Hmm...
    Can I ask you one more thing? Hope you don't get bored.

    Is there a similar way for ASPack, because with ASPack step 3 (stop at exceptions, pass) doesn't work.

    Greg

  5. #5
    JDog45
    Guest


    Ricardo always knows all kinds of tricks..

  6. #6


    Well, the stolen bytes are too long to explain in a forum; I have tuts, but this is not a cracking forum. The general method is to look for a value in one register when you reach the OEP or the FIRST LINE EXECUTED OF THE PROGRAM (if EAX=0, take another register).
    Repeat the process until you pass the last exception and put a BPM on the ASProtect section (the section of the exceptions). RUN; when the program stops,
    go to Debugging Options -> Trace and clear all the marks, and in Debug -> Set Condition put
    EAX==XXXXXX

    XXXXXX is the value you read in EAX when stopped at the OEP. Configure Run Trace to LOG TO TXT, in case the stolen bytes are erased; in that case they will be stored in the TXT and not erased.
    TRACE INTO.

    LOOK IN THE RUN TRACE WINDOW; there are one or two loops that slow the tracing. In that case stop the trace, jump to the end of the loop and continue tracing.

    If the program stops when EAX==XXXXXX you are at the stolen bytes, before these bytes are executed.
    In general cases this works well; if the stolen bytes are encrypted, that is another thing, another method, hehe.

    These OEP methods are only for ASProtect, not for ASPack. For ASPack on NT/2000/XP you can use the PUSHAD method (this method works well in many packers, NOT Armadillo, ASProtect, PELock, tElock; in other packers it goes well).

    Execute the PUSHAD at the beginning of the program with F8 and look at the stack.

    For example,

    if the top value of the stack is

    124478 09009876

    go to the Dump and GOTO EXPRESSION = 124478,

    mark the 4 bytes and set a HARDWARE BPX ON ACCESS.

    Run, and when the program stops at the line after a POPAD, it is just about to JUMP to the OEP; press F7 one or two lines and you are at the FTP.


    Ricardo Narvaja
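Ricardo's conditional trace ("EAX==XXXXXX", with Run Trace logged to a TXT so the stolen bytes survive even if the protector erases them) can also be applied after the fact, on the saved log. The script below is an added example and not code from the thread or from OllyDbg: it parses a run-trace log, reports the addresses that were executed repeatedly (the loops he says slow the trace down), and, from the first instruction after which the chosen register holds the value seen at the OEP, collects the commands executed until control lands in the original code section. The log layout (address, thread, command, then "; REG=value" for the registers an instruction modified) is assumed to match what OllyDbg's "Log to file" writes, and every address, value and instruction in the sample is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a run-trace log. The column layout is an assumption about
# OllyDbg's "Log to file" output; addresses, register values and code are made up.
# It shows a short loop in the protector's section, the stolen prologue, and the
# jump back into the original .text section at 00401011.
SAMPLE_LOG = """\
Address   Thread   Command                          ; Registers and comments
00D7A3E0  Main     XOR BYTE PTR DS:[ESI],AL
00D7A3E2  Main     INC ESI                          ; ESI=00D7A3F1
00D7A3E3  Main     DEC ECX                          ; ECX=00000001
00D7A3E4  Main     JNZ SHORT 00D7A3E0
00D7A3E0  Main     XOR BYTE PTR DS:[ESI],AL
00D7A3E2  Main     INC ESI                          ; ESI=00D7A3F2
00D7A3E3  Main     DEC ECX                          ; ECX=00000000
00D7A3E4  Main     JNZ SHORT 00D7A3E0
00D7A3F0  Main     MOV EAX,12345678                 ; EAX=12345678
00D7A3F5  Main     PUSH EBP                         ; ESP=0012FFC0
00D7A3F6  Main     MOV EBP,ESP                      ; EBP=0012FFC0
00D7A3F8  Main     ADD ESP,-10                      ; ESP=0012FFB0
00D7A3FB  Main     JMP 00401011
00401011  Main     PUSH EBX                         ; ESP=0012FFAC
00401012  Main     PUSH ESI                         ; ESP=0012FFA8
"""

# address, thread, command, optional "; comment" holding REG=value pairs
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+(.*?)(?:\s*;\s*(.*))?$")


@dataclass
class TraceLine:
    address: int
    command: str
    regs: dict = field(default_factory=dict)  # registers changed by this instruction


def parse_trace(text):
    """Parse the log into TraceLine objects, skipping the header and blank lines."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        addr, _thread, cmd, comment = m.groups()
        regs = {}
        for tok in (comment or "").split():
            name, sep, val = tok.partition("=")
            if sep:
                try:
                    regs[name.upper()] = int(val, 16)
                except ValueError:
                    pass  # comment text that is not a register value
        out.append(TraceLine(int(addr, 16), cmd.strip(), regs))
    return out


def loop_addresses(trace, min_hits=2):
    """Addresses executed min_hits times or more: the loops that slow the trace."""
    hits = {}
    for t in trace:
        hits[t.address] = hits.get(t.address, 0) + 1
    return sorted(a for a, n in hits.items() if n >= min_hits)


def find_stolen(trace, reg, value, code_start, code_end):
    """Apply the condition REG==value offline. From the first instruction after which
    REG holds the value seen at the OEP, collect the commands executed until control
    lands in [code_start, code_end). Returns (commands, landing_address); the landing
    address is None if the log ends first, and the whole result is None if the
    condition never holds."""
    start = next((i for i, t in enumerate(trace) if t.regs.get(reg) == value), None)
    if start is None:
        return None
    stolen = []
    for t in trace[start:]:
        if code_start <= t.address < code_end:
            return stolen, t.address  # first line of the original program reached
        stolen.append(t.command)
    return stolen, None


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_LOG)
    print("loop at:", [f"{a:08X}" for a in loop_addresses(trace)])
    cmds, landing = find_stolen(trace, "EAX", 0x12345678, 0x401000, 0x402000)
    for c in cmds:
        print("stolen:", c)
    print(f"first original line executed: {landing:08X}")
```

The trailing JMP in the collected commands is the protector's transfer back into the original code, not something to restore; the instructions before it are what has to be written back at the OEP. If the stolen bytes are decrypted by the protector before they run, as in the sample loop, the log still shows the instructions as executed, which is exactly why Ricardo logs to a file.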

  7. #7


    Grr, you are at the OEP, not FTP, sorry.

    Ricardo

  8. #8
    greg
    Guest


    Yep

    THANKS A LOT RICARDO.
    You are " THE MAN"

    Greg

  9. #9
    Teerayoot
    Guest


    Not necessary to be at the OEP.


    You can even dump after the stolen bytes have executed,
    but in the dumped file let's fix it with the real bytes.

    Works well for me (ASProtect).
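Teerayoot's approach (dump past the stolen bytes, then put the real bytes into the dumped file) needs two things a hex editor does by hand: map the OEP's RVA to a file offset through the section table, and point AddressOfEntryPoint at the OEP. The script below is an added example, not code from the thread: it builds a constructed stand-in for a dumped PE32 (a real dump would be read from disk instead), writes a constructed prologue at the OEP and fixes the entry point. The section layout, the stub entry point and the six prologue bytes are assumptions, not taken from any real target.

```python
import struct


def build_minimal_pe():
    """Constructed stand-in for a dumped PE32: one .text section at RVA 0x1000 with
    raw data at file offset 0x200, the entry point still pointing at the protector's
    stub, and the bytes at the OEP left as 0x90 filler. Not a real dump."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, 1 section, 224-byte optional header, executable image
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3F00)    # AddressOfEntryPoint (stub, assumed)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocs, linenums, their counts, Characteristics (code|exec|read)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return bytearray(headers + b"\x90" * 0x200)


def _pe_header(pe):
    """Offset of the 'PE\\0\\0' signature."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew


def sections(pe):
    """(name, va, vsize, rawptr, rawsize) for every section header."""
    hdr = _pe_header(pe)
    nsect = struct.unpack_from("<H", pe, hdr + 6)[0]
    opt_size = struct.unpack_from("<H", pe, hdr + 20)[0]
    first = hdr + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        out.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr, rawsize))
    return out


def rva_to_offset(pe, rva):
    """File offset backing an RVA, or None if no section's raw data covers it."""
    for _name, va, vsize, rawptr, rawsize in sections(pe):
        if va <= rva < va + vsize:
            off = rva - va
            return rawptr + off if off < rawsize else None
    return None


def entry_point(pe):
    return struct.unpack_from("<I", pe, _pe_header(pe) + 24 + 16)[0]


def restore_stolen(pe, oep_rva, real_bytes):
    """Write the recovered bytes at the OEP of the dump and point the entry point
    at it. Refuses a patch that is not fully backed by one section's raw data.
    Returns the file offset that was patched."""
    start = rva_to_offset(pe, oep_rva)
    end = rva_to_offset(pe, oep_rva + len(real_bytes) - 1)
    if start is None or end is None or end - start != len(real_bytes) - 1:
        raise ValueError("patch is not fully backed by one section's raw data")
    pe[start:start + len(real_bytes)] = real_bytes
    struct.pack_into("<I", pe, _pe_header(pe) + 24 + 16, oep_rva)
    return start


if __name__ == "__main__":
    pe = build_minimal_pe()
    # Constructed stand-in for a stolen prologue (PUSH EBP / MOV EBP,ESP / ADD ESP,-10)
    # as read off a run trace; not bytes from any real target
    stolen = bytes.fromhex("55 8B EC 83 C4 F0")
    off = restore_stolen(pe, 0x1000, stolen)
    print(f"wrote {len(stolen)} bytes at file offset {off:#x}; entry point now {entry_point(pe):#x}")
    with open("dump_fixed.exe", "wb") as f:
        f.write(pe)
```

The RVA-to-offset mapping matters because a dump taken by OllyDump with "rebuild" may have raw sizes equal to virtual sizes while one taken elsewhere may not; patching at the virtual address as if it were a file offset writes the bytes into the wrong place. The entry-point fix is what makes the restored prologue the first thing executed instead of the protector's stub.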
